[Accred-Model] Token-based approach to WHOIS access

[Rubens Kuhl]

Hi all.

After reading the Article 29 WP letter to ICANN (https://www.icann.org/en/system/files/correspondence/jelinek-to-marby-11apr18-en.pdf), I started envisioning what process and system could achieve GDPR compliance. What I came to is a token-based system, which would work like this:
- Every request is analyzed by a human at an "RDS Clearinghouse". Each request can be for a single data element (like "owner of domain X") or to multiple data elements (like "domains owned by the same owner of domain X"), but requests for multiple data elements are only foreseen to be processed by contracted parties with "Search WHOIS" contract requirements.
- Clearinghouse issues a token with query parameters, data elements authorized for response, identity of authorized party, reason for authorization, validity (probably in the order of days), also informing which endpoint to go to.
- Authorized party uses that token to access that endpoint, managed by the party with most data about that element (usually a registrar).

Note that is not a replacement for credentialing; credentials would still be necessary to get tokens. This is also orthogonal to discussions like which use cases are legitimate or not, GDPR-compliant or not etc.; it's just a more granular approach to authorization that looks more inline with privacy-oriented guidelines including but not limited to GDPR.


Rubens







-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 528 bytes
Desc: Message signed with OpenPGP
URL: <http://mm.icann.org/pipermail/accred-model/attachments/20180413/f2d120b9/signature.asc>